35 matches found
CVE-2022-22817
CVE-2022-22817 affects Pillow’s PIL.ImageMath.eval before 9.0.0, enabling evaluation of arbitrary expressions (including code execution) via the expression parameter; a workaround/change was introduced in Pillow 9.0.0 to restrict builtins. Upgrading to 9.0.0+ (per Pillow release notes) is the adv...
CVE-2019-16865
Pillow CVE-2019-16865 affects Pillow
CVE-2024-28219
CVE-2024-28219 affects the Pillow Python imaging library. In _imagingcms.c, a buffer overflow was introduced because strcpy was used instead of a safer copy like strncpy, impacting Pillow before version 10.3.0. The issue filename and function indicate a likely overflow related to fixed-length str...
CVE-2021-25290
Pillow up to version 8.1.1 contains a vulnerability in the TIFF image reader: a negative-offset memcpy with an invalid size in TiffDecode.c. This can lead to memory corruption. The issue is documented as CVE-2021-25290 and is referenced in multiple advisories (e.g., Debian, AlmaLinux, Amazon Linu...
CVE-2020-5312
CVE-2020-5312 is a Pillow vulnerability where libImaging/PcxDecode.c may overflow the PCX P mode buffer in Pillow versions before 6.2.2. The issue arises during decoding PCX images and could impact memory handling in affected builds. Public advisories and release notes indicate upgrading Pillow t...
CVE-2020-5313
Pillow (libImaging/FliDecode.c) has an FLI buffer overflow in versions before 6.2.2. Affected: Pillow/Python imaging library; root cause is an FLI decode buffer overflow. Impact is described as overflow in loading FLI images. Remediation: upgrade to Pillow 6.2.2 or later (per the CVE entry and ve...
CVE-2020-5311
Pillow’s vulnerability CVE-2020-5311 affects the libImaging/SgiRleDecode.c path and is triggered by an SGI buffer overflow in Pillow versions before 6.2.2. The issue is in the SGI image parsing code, not in a user-provided input path description; impact is partial to high depending on exposure of...
CVE-2020-35653
CVE-2020-35653 affects Pillow up to version 8.0.x, where the PCX decoder (PcxDecode) may trigger a buffer over-read when processing a crafted PCX file because the user-supplied stride is trusted for buffer calculations. The issue is documented across multiple adapters (e.g., Debian, Arch, AlmaLin...
CVE-2020-5310
CVE-2020-5310 affects Pillow’s TIFF decoding path, specifically libImaging/TiffDecode.c. The root cause is a TIFF decoding integer overflow tied to memory reallocation (realloc), exposing Pillow versions prior to 6.2.2 to potential crash or compromise when processing crafted TIFF images. Affected...
CVE-2021-27922
Pillow vulnerability CVE-2021-27922: Pillow before 8.1.2 can trigger excessive memory allocation when processing ICNS containers because the reported image size isn’t properly checked. This memory DoS is the explicit impact described in multiple sources (e.g., Astra Linux advisory referencing Pil...
CVE-2021-25293
The CVE-2021-25293 issue is in Pillow prior to 8.1.1, caused by an out-of-bounds read in SGIRleDecode.c. Affected: Pillow up to version 8.1.1. Impact: information about the exact impact is described in the CVE entry; the connected documents confirm the vulnerability. Remediation: upgrade Pillow t...
CVE-2021-25291
Pillow before 8.1.1 is affected by an out-of-bounds read in TiffDecode.c (TiffreadRGBATile) due to invalid tile boundaries. Root cause: boundary handling in TiffreadRGBATile as reported for CVE-2021-25291. According to linked advisories and release notes, remediation is to upgrade to Pillow 8.1.1...
CVE-2022-22815
Summary (supported by provided docs): CVE-2022-22815 concerns the Pillow Python imaging library. The issue is in path_getbbox() within path.c where ImagePath.Path is improperly initialized, enabling a buffer over-read/improper initialization that can cause memory access errors or crashes. Connect...
CVE-2021-25292
Pillow (Python Imaging Library fork) prior to 8.1.1 is affected by a vulnerability in its PDF format parser that allows a regular expression DoS (ReDoS) via a crafted PDF file due to a catastrophic backtracking regex. This can impact availability as indicated by the CVSS vector in the CVE entry, ...
CVE-2022-22816
CVE-2022-22816 affects Pillow’s image path handling. The vulnerability is a buffer over-read in path_getbbox() inside path.c during initialization of ImagePath.Path, present in Pillow versions before 9.0.0. The flaw can allow reading memory outside the intended bounds. The issue is mitigated by u...
CVE-2021-27921
CVE-2021-27921 concerns Pillow (Python Imaging Library). Affected: Pillow up to 8.1.1/8.1.2 before 8.1.2. Issue: memory-allocating DoS due to the reported size of a contained image not being properly checked for BLP containers, allowing a very large allocation. Impact: potential denial of service...
CVE-2021-27923
CVE-2021-27923 affects Pillow up to 8.1.1. It causes a denial-of-service via memory exhaustion because the reported size of a contained image is not properly checked for an ICO container, potentially triggering a very large memory allocation. Root cause: inadequate validation of ICO container ima...
CVE-2019-19911
Summary (CVE-2019-19911) : Pillow before 6.2.2 contains a DoS vulnerability in FpxImagePlugin.py where range() is applied to an unvalidated 32‑bit integer when the number of bands is large. On 32‑bit Windows Python this can trigger OverflowError or MemoryError due to the 2 GB limit; on 64‑bit Lin...
CVE-2021-25289
CVE-2021-25289 affects Pillow before 8.1.1. The issue is a heap-based buffer overflow in TiffDecode when decoding crafted YCbCr files, triggered by interpretation conflicts with LibTIFF in RGBA mode. This stems from an incomplete fix for CVE-2020-35654. The CVE is documented with high severity (C...
CVE-2020-10177
CVE-2020-10177 affects Pillow prior to 7.1.0, with multiple out-of-bounds reads in libImaging/FliDecode.c. Technical details across connected advisories confirm affected package is python-pillow and fixes are provided in Pillow 7.1.0+ (e.g., ALAS-2024-2648, ALAS2 advisories; Mageia notes referenc...
CVE-2020-35654
Pillow CVE-2020-35654 affects TiffDecode: heap-based buffer overflow when decoding crafted YCbCr files due to interpretation conflicts with LibTIFF in RGBA mode. Affected versions are Pillow before 8.1.0 (and related notes indicate an incomplete fix extending to 8.1.1 per downstream advisories). ...
CVE-2022-24303
Pillow (Python Imaging Library fork) is affected by CVE-2022-24303. The vulnerability arises in Pillow’s handling of spaces in temporary pathnames, enabling an attacker to delete files through path traversal-like behavior. This impacts Pillow versions before 9.0.1. The documented consequence is f...
CVE-2021-28677
CVE-2021-28677 affects Pillow before 8.2.0. The EPSImageFile.readline implementation mishandles line endings (combination of \r and \n) using a quadratic accumulation method, enabling a DoS during the open phase before an image is opened. Connected sources reference Pillow’s fix in 8.2.0 and note...
CVE-2021-25287
Pillow CVE-2021-25287 affects the Python Pillow library prior to 8.2.0, with an out-of-bounds read in J2kDecode (function: j2ku_graya_la). The related CVE-2021-25288 affects J2kDecode in j2ku_gray_i. Public advisories and CNVD entries corroborate the out-of-bounds read in these JPEG 2000 decoding...
CVE-2021-28676
CVE-2021-28676 affects Pillow prior to 8.2.0. The flaw is in FLI data handling where FliDecode did not properly check that the block advance is non-zero, which can lead to an infinite loop while loading. This is documented across multiple sources (e.g., Pillow release notes, advisories) as a load...
CVE-2023-44271
CVE-2023-44271 affects Pillow prior to 10.0.0, causing Denial of Service via uncontrolled memory allocation when using long text inputs in ImageDraw.textlength for truetype fonts. Multiple advisories (Debian, AlmaLinux/ALAS, Amazon Linux, CentOS/RHEL, Fedora) reference this vulnerability and reco...
CVE-2021-25288
Pillow CVE-2021-25288 is an out-of-bounds read vulnerability in the J2kDecode path (j2ku_gray_i) affecting Pillow before 8.2.0. Multiple sources confirm the flaw; remediation is to upgrade to Pillow 8.2.0 or later. Exploitation details are not provided in the supplied documents.
CVE-2021-28675
The CVE-2021-28675 issue affects Pillow (before 8.2.0). PSDImagePlugin.PsdImageFile does not perform a sanity check on the number of input layers relative to the data block size, enabling a potential Denial of Service when opening images with Image.open (prior to Image.load). Connected documents ...
CVE-2021-28678
CVE-2021-28678 affects Pillow prior to 8.2.0, where the BlpImagePlugin for BLP data failed to properly validate reads after seeking to file offsets. This can allow a denial-of-service by repeatedly decoding on empty data. Root cause: insufficient checks on data returned by reads in BlpImagePlugin...
CVE-2020-10378
In Pillow, CVE-2020-10378 is an out-of-bounds read in the PCX decoding path. Specifically, in libImaging/PcxDecode.c, when reading PCX files, state->shuffle may be instructed to read beyond state->buffer, enabling an out-of-bounds access. This vulnerability is documented for Pillow releases...
CVE-2020-10994
CVE-2020-10994 affects Pillow, specifically in libImaging/Jpeg2KDecode.c. The vulnerability consists of multiple out-of-bounds reads when decoding JP2 files, as described in the CVE entry and corroborated by connected advisories. Affected versions are Pillow before 7.1.0; remediation is to upgrad...
CVE-2020-10379
Summary: CVE-2020-10379 affects Pillow prior to 7.1.0, with two Buffer Overflows in libImaging/TiffDecode.c. This is documented in the CVE as a vulnerability with partial confidentiality, integrity, and availability impact (CVSS v3.1: 7.8, LOCAL, UI REQUIRED; CVSS v2: 6.8). The initial descriptio...
CVE-2022-45198
CVE-2022-45198 affects Pillow up to version 9.2.0, where improper handling of highly compressed GIF data (Data Amplification) can cause abnormal resource usage. Public sources confirm Pillow prior to 9.2.0 is vulnerable; advisories reference upgrades to mitigate. Debian LTS notes Pillow updates (...
CVE-2022-45199
CVE-2022-45199 affects the Python Pillow library. According to connected sources, Pillow versions before 9.3.0 are vulnerable to denial of service via the SAMPLESPERPIXEL pathway, with exploitation potentially impacting availability. The CVE is associated with a base score of 7.5 ( HIGH ) under N...
CVE-2026-42308
Pillow CVE-2026-42308 describes an integer overflow in font handling that occurs when a glyph advances by an excessively large amount. Affected is Pillow before version 12.2.0; the issue is resolved in 12.2.0. The CVSS vector indicates local, low complexity access with no privileges required and ...